Method and apparatus for transparently proxying a connection

ABSTRACT

A system and method are disclosed for transparently proxying a connection to a protected machine. The method includes monitoring a communication packet on a network at a proxy machine. The communication packet has a communication packet source address, a communication packet source port number, a communication packet destination address, and a communication packet destination port number. The proxy determines whether to intercept the communication packet based on whether the communication packet destination address and the communication packet destination port number correspond to a protected destination address and a protected destination port number stored in a proxy list. The proxy then determines whether to proxy a proxied connection associated with the communication packet based on the communication packet source address and the communication packet source port number. A protected connection is terminated from the proxy machine to a protected machine. The protected machine corresponds to the communication packet destination address and the communication packet destination port number. A response is formed to the communication packet under a network protocol by sending a responsive packet from the proxy machine. The responsive packet has a header having a responsive packet source address and a responsive packet source port number such that the responsive packet source address and the responsive packet source port number are the same as the communication packet destination address and the communication packet destination port number.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is related to co-pending application Ser. No. 08/903,823, entitled Method and Apparatus for Reducing Overhead on a Proxied Connection, which is incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to methods and apparatuses for transparently proxying a connection. More specifically, the invention relates to methods and apparatuses for intercepting packets or datagrams from a client bound for a server and establishing a client connection with the client. A server connection is also established with the server and data is passed to and from the client and the server via the two connections.

2. Description of the Related Art

Proxies

In many network applications, it is often desirable or necessary to prevent a user from making a connection to a first machine at one IP address that has information that the user needs and instead service an information request with a second machine at a different IP address. For example, it is often desired from a security standpoint not to allow connections from potentially hostile machines to a machine that stores sensitive information. Instead, it may be required that a connection first be made to a proxy which itself has various security features such as user authentication and possibly encryption.

The user requests the information from the proxy and the proxy establishes a connection with the machine that is being protected and obtains the information. If the protected machine determines that the user is authorized to receive the information, the proxy can then relay the information to the user that requested it. The proxy thus stands in for the machine that stores the sensitive information and prevents outside users from connecting directly to the protected machine. Instead, the user must first request the information from the proxy and only the proxy connects with the protected machine. The protected machine is thereby insulated from potentially dangerous outside contact.

In a proxy arrangement that is used for security, the proxy generally first identifies and authenticates the user who is requesting information from a machine at a target IP address. In the discussion that follows, the user requesting information will be referred to as the client and the protected machine that is providing information will be referred to as the server. It should be noted that in certain situations the client and server designations may be reversed. The machine that is protected (in the example above, the server) is also referred to as the proxied machine at the proxied address. In some applications, the proxied machine is also referred to as the target machine at the target address because it is the machine that the client or user actually intends to access and from which the user expects to obtain data or some other service.

The target machine is distinguished from the proxy because the user does not generally desire to retrieve information from or contact the proxy other than for the purpose of authenticating himself or otherwise preparing for the desired connection with the target machine. The machine that acts as a proxy is called the proxy machine at the proxy address. The user making the connection is referred to as the user or the client. When a proxy is used, the user connects to the proxy machine at the proxy IP address and never actually makes a connection to the proxied machine at the proxied IP address.

Another example of a situation in which a proxy may be desirable is a web cache. It may be desirable to store certain information that is available from a primary web site at a first IP address at a web cache located at another IP address. In this situation, the user is directed to the IP address of the web cache for the information, and, if the information requested is not found in the cache, then the web cache connects to the IP address of the first web site, obtains the information and then transfers it to the user.

FIG. 1 is a block diagram illustrating a proxied connection. A client 100 has an IP address of aaa.1. Client 100 wishes to obtain information from a server 102 that has an IP address bbb.1. Client 100, however, is not authorized to connect to server 102. Client 100 therefore must make a connection to a proxy 104 which has an IP address of xxx.1. Proxy 104 is authorized to make a connection to server 102.

In the example illustrated, client 100 connects to proxy 104 via the Internet 110. It should be noted that in other embodiments, the client connects to the proxy via some other internet or intranet. To connect to proxy 104 via the Internet, client 100 must know the IP address, xxx.1, of proxy 104 so that a connection can be made to proxy 104. Furthermore, client 100 must obtain authorization to log onto proxy 104. Usually, this is done by some sort of authentication or password procedure. Once client 100 has successfully logged on to proxy 104, client 100 may request proxy 104 to make a connection to server 102 and obtain data that is contained on server 102.

Once client 100 has successfully logged on to proxy 104, client 100 requests that the proxy establish a connection and log onto the server. The client sends datagrams or packets to the proxy and the proxy relays them to the server. It should be noted that in the following description the terms datagram and packet are used interchangeably to refer to messages or portions of messages sent to or from a network device. Generally, the client must also specify to the proxy the IP address of the server that it wishes to access so that the proxy can make a connection to the server. Once a connection with the server is established, then proxy 104 reads the data received from the client and relays the data to the server via the server connection. Likewise, the proxy reads the data received from the server and relays the data to the client via the client connection.

Typically, the client is required to log on to the proxy to get authorization to send information to the proxy to be relayed to the server and then the client must again log onto the server through the proxy. Although the proxy makes its own direct connection with the server which may require authentication of the proxy, the server in most cases will run a separate process to verify that the user of the proxy is authorized to get the information from the server that is being requested. Thus, the proxy protects the server from a direct connection with a hostile source, but the server still must ensure that the user of the proxy is authorized to obtain the requested information. If the same information is required by the proxy and the server, then the information often must be supplied twice, once during authentication to the proxy and once during authentication to the server. Thus, the client must know to request the proxy address and then go through two separate authentication procedures in order to successfully obtain information from the server.

Certain proxy programs simplify the process somewhat by allowing the client to provide both a proxy password and a server password in a single step when the client signs on to the proxy. In some instances, a single password is used for both the proxy and the server. Nevertheless, the client still must know to contact the proxy. As a result, when a proxy is changed, many separate client applications must often be reconfigured to contact the appropriate proxy.

The use of a proxy as described above requires the user to log onto the proxy at the proxy IP address. It is thus evident to the user that a proxy is being used. Furthermore, in some situations, the user is required to go through two separate security procedures, one to log onto the proxy, and a second to log onto the target machine or server. It would be desirable if a proxy could be provided that operated in a transparent manner so that the user would not be aware of the operation of the proxy and would not be required to go through two separate security procedures. Such a proxy would also eliminate the need to reconfigure a large number of client applications when a proxy is changed.

SUMMARY OF THE INVENTION

Accordingly, the present invention provides a proxy that operates transparently. The proxy intercepts a connection request from a client to a server and establishes a connection with the client, acting on behalf of a server and for all purposes appearing to the client to be the server. Information requests from the client are relayed to the server and information from the server is relayed to the client by the proxy. The proxy inspects the data sent by the client and modifies it where appropriate. In some embodiments, the client need not log onto both the proxy and the server and it may in fact never be evident to the client that the connection is being proxied.

It should be appreciated that the present invention can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, or a computer readable medium. Several inventive embodiments of the present invention are described below.

In one embodiment, a system and method are disclosed for transparently proxying a connection to a protected machine. The method includes monitoring a communication packet on a network at a proxy machine. The communication packet has a communication packet source address, a communication packet source port number, a communication packet destination address, and a communication packet destination port number. The proxy determines whether to intercept the communication packet based on whether the communication packet destination address and the communication packet destination port number correspond to a protected destination address and a protected destination port number stored in a proxy list. The proxy then determines whether to proxy a proxied connection associated with the communication packet based on the communication packet source address and the communication packet source port number. A protected connection is terminated from the proxy machine to a protected machine. The protected machine corresponds to the communication packet destination address and the communication packet destination port number. A response is formed to the communication packet under a network protocol by sending a responsive packet from the proxy machine. The responsive packet has a header having a responsive packet source address and a responsive packet source port number such that the responsive packet source address and the responsive packet source port number are the same as the communication packet destination address and the communication packet destination port number. Thus, the proxy machine terminates a protected connection to the protected machine and the proxy machine responds to the communication packet acting on behalf of the protected machine, so that the proxy machine appears to be the protected machine.

These and other features and advantages of the present invention will be presented in more detail in the following specification of the invention and the accompanying figures which illustrate by way of example the principles of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:

FIG. 1 is a block diagram illustrating a proxied connection.

FIG. 2 shows a typical computer-based system which may be used as a transparent proxy.

FIG. 3 is a block diagram of a transparent proxy at an IP address xxx.1 that proxies a connection from a client at an IP address aaa.2 to a server at IP address bbb.2.

FIG. 4 is a process flow diagram illustrating a process implemented on a proxy for routing packets received from a client as shown in FIG. 3.

FIG. 5 is a block diagram illustrating the data structure contained in the proxy quad list.

FIG. 6 is a process flow diagram illustrating the process for determining whether to establish an outgoing connection and establishing an outgoing connection with the server so that data from packets intercepted from clients to be proxied can be transferred to the server.

FIG. 7 is a block diagram illustrating how a transparent proxy handles a proxied connection between a client and a server.

FIG. 8 is a process flow diagram illustrating in detail the process implemented by the proxy for handling data packets which are relayed to the server.

FIG. 9 is a process flow diagram illustrating the process for closing a connection.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Reference will now be made in detail to the preferred embodiment of the invention. An example of the preferred embodiment is illustrated in the accompanying drawings. While the invention will be described in conjunction with that preferred embodiment, it will be understood that it is not intended to limit the invention to one preferred embodiment. On the contrary, it is intended to cover alternatives, modifications, and equivalents as may be included within the spirit and scope of the invention as defined by the appended claims. In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention. The present invention may be practiced without some or all of these specific details. In other instances, well known process operations have not been described in detail in order not to unnecessarily obscure the present invention.

TCP/IP

The present invention will be described as being implemented using TCP/IP. It should be recognized that other protocols such as UDP or IL may be used in other embodiments. TCP/IP was developed in the mid 1970s when the Defense Advanced Research Project Agency (DARPA) was interested in providing packet-switched network communications between the many research institutions in the United States. DARPA and other government organizations understood the potential of packet-switched technology and were just beginning to discover that virtually all companies with networks needed to support communication among dissimilar computer systems.

With the goal of heterogeneous connectivity in mind, DARPA funded research by Stanford University and Bolt, Beranek, and Newman to create a series of communication protocols. The result of that development effort, completed in the late 1970's, was the Internet protocol suite, of which the Transmission Control Protocol (TCP) and the Internet Protocol (IP) are the two best-known members.

TCP

TCP is a connection-oriented transport layer protocol that sends data as an unstructured stream of bytes. By using sequence numbers and acknowledgment messages, TCP can provide a sending node with delivery information about packets transmitted to a destination node. Where data has been lost in transit from source to destination, TCP can retransmit the data until either a timeout condition is reached or until successful delivery has been achieved. TCP can also recognize duplicate messages and will discard them appropriately. If the sending computer is transmitting too fast for the receiving computer, TCP can employ flow control mechanisms to slow data transfer. TCP can also communicate delivery information to the upper-layer protocols and applications it supports. As a result of these capabilities, TCP is a connection-oriented protocol. The information required for the sequencing, acknowledgment, and error correcting referred to above is stored and accessed by TCP in a data structure referred to as a Transmission Control Block (TCB).

IP

IP is the primary network layer protocol in the Internet suite. In addition to internetwork routing, IP provides error reporting and fragmentation and reassembly of information units called datagrams for transmission over networks with different maximum data unit sizes. IP represents the heart of the Internet protocol suite.

In the TCP/IP protocol, in order to properly route packets, it is necessary to use the source IP address and port number and the destination IP address and port number found in the packet header. These four quantities together will be referred to as a “quad”. They will be stored at numerous points and accessed or modified in the system and method taught by the present invention in its various embodiments.

Network Environment and Network Devices

The system and method described herein may be usefully implemented on a number of network devices. Generally, the device on which the present invention is implemented will be referred to as a proxy or proxy machine. The present invention is useful in proxied applications that require a user to connect with a proxy machine that is different from the machine that holds the information that the user wants or to which the user otherwise wants to connect. A terminated connection is made to the proxy so that the proxy application can be run. Typically, the proxy application is some sort of security or authentication application, but in some embodiments the proxy application is some other initial application such as a web cache application that runs on a proxy machine. In a security application, the proxy machine authenticates the user and then passes information back and forth between the user and the server. In one embodiment, the present invention makes it possible for the user to log in only to the server. The transparent proxy intercepts the connection and it is not evident to the client that the machine running the transparent proxy application even exists.

As noted above, the term proxy is used to refer to a device which terminates a connection from a client in the place of or as a proxy for another device which is the actual server or target for the client's connection request. In one embodiment, the present invention is implemented as a cut through transparent proxy whose existence and operation is not evident to the client such as is described in U.S. patent application Ser. No. 08/903,823, entitled Method and Apparatus for Reducing Overhead on a Proxied Connection, which is herein incorporated by reference for all purposes.

In one embodiment, a transparent proxy is used to implement user authentication for a private internet exchange (PIX) that includes user authentication and security such as is described in U.S. patent application Ser. No. 08/552,807. It should also be noted that a transparent proxy may be a PIX or other type of firewall or network address translation device, or a web server, web cache, or other network device. In some cases, the web server may be a multi-homed web server. A PIX is a network device used to translate IP addresses. A PIX can be used to share a single IP address among a number of devices or as a firewall. When a connection is attempted from outside the network served by the PIX, it is often desirable to implement user authentication on the PIX so that the connection will not be made to a device on the network served by the PIX unless the user is authorized to make the connection. Thus, the user or client can log onto the PIX, terminate a connection with the PIX, and the security application on the PIX is run to authenticate the user.

While reference will be made below to a proxy used as a network security device like the PIX that includes security functions, it should be noted that the cut through proxy may be implemented in other network devices such as a web server or web cache which may or may not include security functions.

When network security is implemented on a PIX implemented as a transparent proxy, once a single authentication is complete, then it has been determined that the user is authorized to establish the desired connection through the PIX and to obtain information from the server. The PIX intercepts a connection request from the client to the server and answers it as if the PIX were the server. Meanwhile, the PIX establishes a connection with the server. The PIX obtains all information needed to authenticate the user to use the PIX and to connect to the server by inspecting the data packets from the client and the server and modifying the data as required while maintaining state. If the PIX were implemented as a conventional proxy, then a separate login would be required for both the PIX and the server. Even if the authentication process were automated, applications must be configured to work with the proxy, connecting first to the proxy. Once authentication is complete, the PIX continues to inspect and modify packets as needed while keeping track of the state of the connection.

FIG. 2 shows a typical computer-based system which may be used as a transparent proxy. Shown is a computer 210 which comprises an input/output circuit 212 used to communicate information in appropriately structured form to and from the parts of computer 210 and associated equipment, a central processing unit 214, and a memory 216. These components are those typically found in most general and special purpose computers 210 and are intended to be representative of this broad category of data processors.

Connected to the input/output circuit 212 are inside and outside high speed Local Area Network interfaces 218a and 218b. The inside interface 218a will be connected to a private network, while the outside interface 218b will be connected to an external network such as the Internet. Preferably, each of these interfaces includes (1) a plurality of ports appropriate for communication with the appropriate media, and (2) associated logic, and in some instances (3) memory. The associated logic may control such communications intensive tasks as packet integrity checking and media control and management. The high speed interfaces 218a and 218b are preferably multiport Ethernet interfaces, but may be other appropriate interfaces such as FDDI interfaces, etc.

The computer system may also include an input device (not shown) such as a keyboard. A flash memory device 222 is coupled to the input/output circuit 212 and provides additional storage capability for the computer 210. The flash memory device 222 may be used to store programs, data and the like and may be replaced with a magnetic storage medium or some other well known device. It will be appreciated that the information retained within the flash memory device 222 may, in appropriate cases, be incorporated in standard fashion into computer 210 as part of the memory 216.

In addition, a display monitor 224 is illustrated which is used to display the images being generated by the present invention. Such a display monitor 224 may take the form of any of several well-known varieties of cathode ray tube displays and flat panel displays or some other type of display.

Although the system shown in FIG. 2 is a preferred computer system of the present invention, the displayed computer architecture is by no means the only architecture on which the present invention can be implemented. For example, other types of interfaces and media could also be used with the computer.

FIG. 3 is a block diagram of a transparent proxy 300 at an IP address xxx.1 that proxies a connection from a client 302 at an IP address aaa.2 to a server 304 at IP address bbb.2. The transparent proxy proxies the connection between the client and the server without the client being aware of the fact that the connection is being proxied.

When client 302 desires to connect to server 304, client 302 sends a SYN packet to server 304 at the address bbb.2. Client 302 does not send a SYN packet to proxy 300, and, as noted above, client 302 may not even be aware of the existence of proxy 300. Proxy 300 is placed in the communications path of server 304 in a position to monitor all packets which are routed to server 304. Instead of acting as a proxy only when a connection is made to it, proxy 300 actively intercepts and reads all packets that are directed to client 302 that satisfy certain criteria as described below.

When a packet is received by the proxy from the communication path to the server, the packet is processed by a client network protocol stack 308 through a series of layers. The packet comes in through a physical layer 310. Typically, the physical layer implements Ethernet or some other well known protocol. Packets are passed up to an IP layer 311 and are processed according to the IP protocol. The TCP/IP protocol resolves the source IP address, the source port number, the destination IP address, and the destination port number, which are all found in the IP header. These four numbers will hereinafter be referred to as a “quad.” Together, the numbers in the quad specify completely the source and destination of the packet.
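As an added example (not code from the patent), the following Python extracts the quad that the intercepting controller keys on from a raw IPv4 datagram carrying TCP, and reports the TCP flags so a caller can tell a bare SYN from the rest. The addresses come from the IPv4 header; the two port numbers sit in the TCP header that immediately follows it, at the offset given by the IP header length field. The `build_tcp_packet` helper, the `Quad` type, the `is_syn` helper and the sample addresses (RFC 5737 documentation ranges) are all constructed for this illustration; checksums are left at zero because the parser does not verify them.

```python
# Added example: extracting the "quad" (src IP, src port, dst IP, dst port) and
# TCP flags from a raw IPv4/TCP packet. Not part of the patent; names are ours.
import socket
import struct
from typing import NamedTuple, Tuple


class Quad(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_quad(packet: bytes) -> Tuple[Quad, int]:
    """Return (quad, tcp_flags) for an IPv4 datagram carrying TCP.

    Raises ValueError for non-IPv4, non-TCP or truncated input so that a
    controller can drop such packets instead of keying on garbage.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes, options included
    if ihl < 20 or len(packet) < ihl + 20:
        raise ValueError("truncated IP options or TCP header")
    if proto != socket.IPPROTO_TCP:
        raise ValueError("not TCP")
    # TCP header starts right after the IP header: ports, seq, ack, offset/flags.
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    flags = off_flags & 0x01FF          # low 9 bits carry the control flags
    return Quad(socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport), flags


def is_syn(flags: int) -> bool:
    """True for a connection-opening SYN (SYN set, ACK clear), as in FIG. 4 step 414."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def build_tcp_packet(src_ip: str, sport: int, dst_ip: str, dport: int,
                     flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed sample: a minimal IPv4 + TCP header pair with zeroed checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, 65535, 0, 0)   # data offset 5 words
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


if __name__ == "__main__":
    # Constructed client SYN toward a server address, as in FIG. 3.
    pkt = build_tcp_packet("192.0.2.7", 40000, "198.51.100.10", 80, TCP_SYN, seq=1000)
    quad, flags = parse_quad(pkt)
    print(quad, "SYN" if is_syn(flags) else "not a SYN")
```

The ValueError paths matter in practice: an intercepting controller that sits in the IP layer sees every datagram on the path, so it must reject what it cannot classify rather than form a quad from a short or non-TCP packet.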

In addition to the standard implementation of the IP protocol, the transparent proxy includes an intercepting controller 312 in the IP layer. In a conventional IP implementation, the IP protocol looks at the IP address of each incoming datagram and processes packets which have an IP address that corresponds to the IP address of the machine on which the protocol is running, without referring to the port number. In the transparent proxy, intercepting controller 312 analyzes the quad (which includes the port number) of each incoming packet and compares the quad to a proxy quad list 314 which is accessible to the process running the modified IP layer protocol that includes the intercepting controller.

Intercepting controller 312 determines whether the incoming packet should be routed to a local application 316 which processes incoming packets intended to communicate directly with the proxy itself. Intercepting controller 312 also determines whether the incoming packet corresponds to a proxied connection, whether the incoming packet is a SYN packet that corresponds to a new connection that should be added to the proxy quad list, or whether the packet should be dropped. If the packet corresponds to a proxied connection, its data is read and relayed to a server network protocol stack 320 that manages a connection with server 304.

Thus, the intercepting controller intercepts packets for either local application 316 or proxy application 318. Both types of packet are sent up through the TCP layer 313. The TCP layer hashes the quad and looks up the result in a hash table. The packet is then sent to the application socket that is found in the hash table. An application reads and writes data to the socket. Thus, the intercepting controller routes packets sent to the proxy application and proxied packets to the TCP layer. The TCP layer routes packets to the appropriate socket for the packet.

Intercepting controller 312 further determines whether to drop packets for certain connections which do not have a destination IP address corresponding to the proxy and which are not found in the proxy quad list. Thus, the intercepting controller filters out packets that are not to be sent to the server or directly to the proxy so that the TCP process does not need to set up a TCB or devote processing time to such packets. Data from such packets is not passed to the proxy application and is not relayed to server 304. It should be noted that, although only one server is shown being proxied in FIG. 3, in most applications the proxy will function as a proxy for multiple servers at the same time, receiving connections from many clients. Also, intercepting controller 312 acts as a filter to prevent new proxied connections from being established for SYN packets which do not come from an authorized source.

Security is implemented both in the intercepting controller and in the proxy application. The intercepting controller filters packets from unauthorized sources and the proxy application checks the contents of packets. Proxy application 318 also performs an additional security function of authenticating the user and authorizing the proxied connection in the first place. As noted above, authentication by the proxy application for the purpose of authorizing access to the proxy is performed at the same time as authentication by the server in some embodiments. Thus, bad packets are filtered both by the intercepting controller residing in the IP layer, based on the sender IP address and port number of the packet, and bad packets are also eliminated in the proxy application based on their content. Packets which are determined to come from an authorized source are read and their data is forwarded, and, in some embodiments, modified where appropriate by the proxy application. Packets are forwarded to the server via a connection made with the server using server network stack 320.

Thus, intercepting controller 312 is provided as part of a modified IP layer of proxy 300 that processes incoming packets intended for server 304. Intercepting controller 312 filters packets based on the proxy quad list. Packets which have an appropriate source IP address and port number are sent to proxy application 318 where further security or authentication may be implemented. Data from packets which pass authentication by proxy application 318 is forwarded by the proxy application to the server network stack. The server network stack manages the relay of the data from proxy application 318 to server 304. Note that client 302 sends packets to the server IP address, not to the IP address of the proxy. The proxy intercepts those packets and forwards data from the packets to the server if appropriate.

FIG. 4 is a process flow diagram illustrating a process implemented on proxy 300 for routing packets received from client 302 as shown in FIG. 3. The process starts at 400. In step 402, the proxy receives a packet and the packet is routed through the network layer to the modified IP layer. Next, in a step 404, the modified IP layer reads the quad from the packet header. The intercepting controller checks in a step 406 whether the destination IP address is the address of the proxy. If it is, then control is transferred to a step 408 and the packet is passed up to the TCP layer. It should be noted that in some embodiments both the destination address and the port number of the packet are checked to determine whether it should be routed to the proxy local application. The connection is handled according to the TCP protocol and the data is sent to the proxy local application. The purpose of this path is to enable communication to be made on the network directly to the proxy itself. Once the connection is handled and data is processed by the proxy local application, the process ends until another packet is received.

If the destination IP address of the packet is not the IP address of the proxy, then control is transferred to a step 410. In step 410, the proxy quad list is checked to determine whether the quad corresponds to a connection that is being proxied. If it is, then the packet is passed up through the client network stack to the proxy application and the proxy application handles the data packet in a step 412, forwarding data to the server as appropriate. Step 412 is described in greater detail in FIG. 8. Once this is done the process ends for that data packet and the system continues to handle other data packets as they are received. If the connection is not in the proxy quad list, then control is transferred to a step 414 which determines whether or not the packet is an incoming SYN packet. If it is not a SYN packet, control is transferred to a step 416 and the packet is dropped and the process ends for that packet. In some embodiments, an error message or a reset may be sent to the client.

If the packet is an incoming SYN packet, then control is transferred to a step 418 and the packet is passed through the network stack to the proxy application. A TCB is set up for the connection and the quad is hashed and added to the hash table so that the intercepting controller can hash the quad for subsequent packets and send them to the TCP layer. In some embodiments, user authentication may be required before the proxy application will open the second connection to the server. In other embodiments, the proxy opens a connection to the server as soon as the client connection is terminated.

In a step 430, the packet is added to the proxy quad list. In a step 432, the TCP layer of the client network stack sets up a TCB for the connection and acknowledges the SYN packet so that the connection is terminated by TCP. If the connection is terminated successfully, then control is transferred by a step 434 to a step 436 and data packets are handled with the proxy application and relayed to the server if appropriate. Data packets are handled by the proxy until the connection is closed and then the process ends. If the connection is not terminated successfully, then control is transferred to a step 438 where the TCB is cleaned up and the process ends.

Thus, an incoming packet is first checked to see whether it is sent directly to the proxy. If it is, then the packet is handled by the proxy local application. If the packet is not to be handled by the proxy, then the intercepting controller determines whether or not the packet corresponds to a connection that is listed in the proxy quad list. If it is, then the packet is proxied and the proxy application determines whether to relay data to the server. If the quad on the packet header is not found in the proxy quad list, then, if the packet is an incoming SYN packet, the intercepting controller passes the packet through the network stack to the proxy application where a determination is made whether or not to add the connection to the proxy quad list. If the connection is added, then the connection is terminated and data from the connection is processed by the proxy application. If the proxy application determines that data should be relayed to the server, then data is passed from the socket on the client side to the socket on the server side corresponding to the terminated connection between the proxy and the server.

FIG. 5 is a block diagram illustrating the data structure contained in the proxy quad list. As described above, the proxy quad list is accessed by the intercepting controller for the purpose of determining how to handle incoming data packets. Each quad in the proxy quad list is stored as a quad object 500. The quad contains a source IP address 502, a source port 504, a destination IP address 506 and a destination port 508. In one embodiment, the proxy list quad objects are stored in a hash table. In other embodiments, the objects may be stored in a linked list, each object containing a pointer to the next object, or in some other data structure. It should be noted that other database structures containing the fields corresponding to the quad numbers can also be implemented in other embodiments.
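The dispatch logic of FIG. 4 (steps 404 through 418, plus the quad list updates of steps 430 and 906) and the quad object of FIG. 5, written out as an added Python example. This is illustrative code, not the patent's or any product's implementation. It assumes the hash-table embodiment of the quad list, keyed by an immutable Quad record; it reads the quad and the SYN flag from a constructed IPv4/TCP header (step 404) and follows the embodiment in which both the destination address and the destination port are checked before a packet goes to the proxy local application. The Action names, the InterceptingController class, build_packet and the sample addresses are all assumptions made for the example.

```python
import socket
import struct
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Quad:
    """Quad object 500 of FIG. 5: fields 502 (source IP), 504 (source port),
    506 (destination IP) and 508 (destination port). frozen=True makes the
    object hashable, so it can key the hash-table embodiment directly."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Action(Enum):
    """Where the intercepting controller sends a packet (assumed names)."""
    LOCAL = "pass up to TCP for the proxy local application (step 408)"
    PROXIED = "pass to the proxy application on an existing connection (step 412)"
    NEW_SYN = "pass the SYN to the proxy application as a candidate (step 418)"
    DROP = "drop the packet (step 416)"


def quad_from_packet(raw):
    """Step 404: read the quad and the SYN flag from an IPv4/TCP header.
    Returns (Quad, is_syn); raises ValueError for non-TCP or truncated input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
    if raw[9] != 6:                    # IP protocol number 6 is TCP
        raise ValueError("not a TCP segment")
    if len(raw) < ihl + 14:            # need everything up to the TCP flags byte
        raise ValueError("truncated TCP header")
    src_ip = socket.inet_ntoa(raw[12:16])
    dst_ip = socket.inet_ntoa(raw[16:20])
    src_port, dst_port = struct.unpack("!HH", raw[ihl:ihl + 4])
    is_syn = bool(raw[ihl + 13] & 0x02)   # SYN is bit 1 of the TCP flags byte
    return Quad(src_ip, src_port, dst_ip, dst_port), is_syn


def build_packet(quad, syn):
    """Constructed IPv4+TCP header (checksums left zero) for exercising the
    parser offline; not a packet captured from any network."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(quad.src_ip), socket.inet_aton(quad.dst_ip))
    tcp = struct.pack("!HHIIBBHHH", quad.src_port, quad.dst_port, 0, 0, 0x50,
                      0x02 if syn else 0x10, 65535, 0, 0)
    return ip + tcp


class InterceptingController:
    """The decision tree of steps 406, 410 and 414 over the proxy quad list."""

    def __init__(self, proxy_ip, local_ports):
        self.proxy_ip = proxy_ip
        self.local_ports = set(local_ports)   # ports served by the proxy local application
        self.proxy_quad_list = {}             # hash table: Quad -> TCB identifier

    def route(self, quad, is_syn):
        # Step 406: addressed to the proxy itself (this embodiment checks the
        # destination port as well as the address).
        if quad.dst_ip == self.proxy_ip and quad.dst_port in self.local_ports:
            return Action.LOCAL
        # Step 410: already a proxied connection? One hash lookup on the quad.
        if quad in self.proxy_quad_list:
            return Action.PROXIED
        # Step 414: only a SYN can start a new proxied connection.
        return Action.NEW_SYN if is_syn else Action.DROP

    def add_proxied(self, quad, tcb_id):
        """Step 430: the proxy application accepted the SYN; record the quad."""
        self.proxy_quad_list[quad] = tcb_id

    def remove(self, quad):
        """Step 906: the connection closed; later packets for it are dropped."""
        self.proxy_quad_list.pop(quad, None)
```

The ordering of the three checks matters: a packet whose quad is in the list is passed up regardless of flags, while a packet that is not in the list is only considered at all when it carries a SYN, which is what keeps stray segments for unknown connections from reaching the proxy application.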

FIG. 6 is a process flow diagram illustrating the process for determining whether to establish an outgoing connection and establishing an outgoing connection with the server so that data from packets intercepted from clients to be proxied can be transferred to the server. The process starts at 600. In a step 602, a connection is terminated with the client, with the proxy pretending to be the server. The proxy replies to the client's packets by sending packets that give the server's IP address and port number in the packet IP header. As described above in connection with FIG. 4, this is done if a SYN packet is intercepted on its way to the server from a source that is authorized to use the proxy but not authorized to connect directly to the server.

In a step 606, the proxy application decides whether to open a connection to the server. In some embodiments, the proxy may open a connection to the server immediately. In other embodiments, some preliminary authorization procedure is completed first that does not require information from the server. If the proxy application decides not to proxy the connection, then the connection is dropped in a step 608 and the process ends. If the proxy application decides to proxy the connection, then control is transferred to a step 610 and the proxy application sends instructions to the TCP block in the server network stack to actively connect as the client to the server.

In a step 612, TCP creates an active TCB. In a step 614, the quad for the connection is stored in a quad list. In a step 616, TCP sends a SYN packet to the server with the client IP address and port number named as the source IP address and the port number. In a step 618, the connection is terminated with the server and the proxy application relays data received from the client to the server using the server connection.

FIG. 7 is a block diagram illustrating how a transparent proxy 700 handles a proxied connection between a client 702 and a server 704. Once the proxy application has terminated a connection with both the client and the server, data is received from a client socket 706 and relayed to server socket 708. Likewise, data is received from server socket 708 and relayed to client socket 706. The proxy maintains a TCB 710 to manage the connection with the client using TCP and a TCB 712 to manage the connection with the server using TCP. Data in packets from both the client and the server is read by the proxy. The proxy maintains state information about the client and server connections in an event database 714, where events such as a remote close request for one of the sockets or an error are stored. This information is used to determine whether to forward packets. The proxy also determines whether to modify the data before transferring it from one socket to the other.

FIG. 8 is a process flow diagram illustrating in detail the process implemented by the proxy for handling data packets which are relayed to the server as shown in step 412 of FIG. 4. The process starts at 800. In a step 802, the proxy application receives a data packet from the client socket and acknowledges the packet to the client. The IP header of the packet contains a quad which is in the proxy list and so the data packet was forwarded to the proxy application for relay to the server. Next, in a step 804, the proxy checks to see if there is a terminated connection with the server. If there is not a terminated connection, then control is transferred to a step 806 and the connection is terminated with the server. Control is then transferred to a step 808 and the data packet is sent to the server. Next, in a step 810 the TCP portion of the server network stack checks whether the server acknowledges the packet. If the server does not acknowledge, then the packet is resent in a step 812.

Once the server acknowledges the packet, control is transferred to a step 814 and then the proxy application updates the state of the proxied connection to reflect the fact that the packet has been successfully forwarded. In one embodiment, if a packet is not successfully forwarded, then the proxy application notifies the application layer of the machine that sent the packet that the packet was not properly received or was not properly processed. For example, if the server were down and not acknowledging the relayed packets, then the proxy may notify the client by sending a message that appears to the client to come from the server application. The process then ends.

Once the process illustrated in FIG. 8 has been completed, the data packet sent from the client to the server has been intercepted by the proxy. The data has been read and acknowledged, and the data has been forwarded to the server with an IP header that appears as if the data came from the client. It appears to the client that the acknowledgment of the packet came from the server. When the server acknowledges the data packet, the proxy application receives the acknowledgment.

FIG. 9 is a process flow diagram illustrating the process for closing a connection. The process starts at 900. In a step 902, TCP determines that the connection is to be closed. This can be due to an error, a remote machine closing the connection, or the proxy closing the connection. Next, in a step 904, the TCP standard protocol for closing a connection is followed. That is, a FIN packet is sent, a FIN ACK is received, and a final ACK packet is sent. Once the connection is closed, the quad corresponding to the client is dropped from the quad list in a step 906 and the TCBs associated with the client connection and the server connection are freed in a step 908.

Thus, a transparent proxy has been described which intercepts packets sent to the IP address of a server and determines whether the quad of the packet corresponds to a connection that is already being proxied, or, if the packet is a SYN packet, whether the quad corresponds to a quad that is a candidate for being proxied. If the quad is a candidate for being proxied then the packet is transferred to the proxy application and the proxy application determines whether or not to create a proxied connection. When a proxied connection is created, then the quad is added to the proxy quad list and subsequent data from data packets for that connection are forwarded to the server.

The process of proxying a connection can be described in phases. In the first phase, the proxy pretends to be the destination and acknowledges the first SYN packet. In a second phase, the proxy application determines whether it wants to continue the connection. This involves authentication of the client. A connection with the server may be set up at that point so that authentication with the server and the proxy are part of the same process. In a third phase, if the proxy application decides to continue the connection, then a second connection is terminated with the server. Finally, in the fourth phase, data from the client is relayed to the server and vice versa.
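The four phases just described, and the packet exchanges of FIGs. 6 through 9 that make them up, as an added Python simulation that is not part of the patent or of any product. Both sides' messages are modelled as in-memory Packet records rather than sent on a network; the ProxiedConnection class, its phase names, the authorize callback standing in for the proxy application's policy decision (step 606), the run_example walk-through and the sample addresses are all assumptions made for the example. What it shows is where each emitted header's source address and port come from: the SYN-ACK to the client carries the server's address and port (steps 432 and 602), the SYN to the server carries the client's (step 616), each relayed segment is acknowledged toward its sender under the peer's identity (step 802), and on close the quad leaves the list and both TCBs are freed (steps 906 and 908). The FIN exchange of step 904 is left to TCP and only recorded as an event.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed model of the header fields the description relies on:
    the quad, the TCP flag of interest, and any payload."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str          # "SYN", "SYN-ACK", "ACK" or "DATA"
    payload: bytes = b""


class ProxiedConnection:
    """One proxied connection: client-side TCB (710), server-side TCB (712),
    event database (714) and this connection's entry in the shared quad list."""

    def __init__(self, client_syn, quad_list, authorize):
        self.c_ip, self.c_port = client_syn.src_ip, client_syn.src_port
        self.s_ip, self.s_port = client_syn.dst_ip, client_syn.dst_port
        self.quad = (self.c_ip, self.c_port, self.s_ip, self.s_port)
        self.quad_list = quad_list        # shared proxy quad list (a set of quads)
        self.authorize = authorize        # proxy application's policy callback (assumed)
        self.client_tcb = {"state": "SYN_RCVD"}   # set up in step 432
        self.server_tcb = None                     # created only in phase 3
        self.events = []                           # event database 714
        self.sent = []                             # every packet the proxy emits
        # Phase 1 (steps 430 and 432): record the quad and answer the SYN with
        # a SYN-ACK whose source is the server's address and port.
        self.quad_list.add(self.quad)
        self._send(self.s_ip, self.s_port, self.c_ip, self.c_port, "SYN-ACK")
        self.client_tcb["state"] = "ESTABLISHED"
        self.phase = "AUTHORIZE"

    def _send(self, src_ip, src_port, dst_ip, dst_port, flags, payload=b""):
        pkt = Packet(src_ip, src_port, dst_ip, dst_port, flags, payload)
        self.sent.append(pkt)
        return pkt

    def decide(self):
        """Phase 2 (step 606): continue only if the proxy application approves."""
        if not self.authorize(self.c_ip, self.c_port):
            self.close("proxy refused connection")      # step 608
            return False
        # Phase 3 (steps 610 to 616): active open to the server, with the
        # client's address and port as the source of the SYN.
        self.server_tcb = {"state": "SYN_SENT"}         # step 612
        self._send(self.c_ip, self.c_port, self.s_ip, self.s_port, "SYN")
        self.phase = "SERVER_CONNECT"
        return True

    def server_replied(self, pkt):
        """Step 618: the server's SYN-ACK completes the protected connection."""
        if self.phase != "SERVER_CONNECT" or pkt.flags != "SYN-ACK":
            return False
        self._send(self.c_ip, self.c_port, self.s_ip, self.s_port, "ACK")
        self.server_tcb["state"] = "ESTABLISHED"
        self.phase = "RELAY"
        return True

    def relay_from_client(self, pkt, modify=None):
        """Phase 4 / FIG. 8: ack the client as the server, forward as the client."""
        if self.phase != "RELAY":
            return None
        self._send(self.s_ip, self.s_port, self.c_ip, self.c_port, "ACK")   # step 802
        data = modify(pkt.payload) if modify else pkt.payload       # optional change (FIG. 7)
        return self._send(self.c_ip, self.c_port, self.s_ip, self.s_port, "DATA", data)  # step 808

    def relay_from_server(self, pkt, modify=None):
        """Reverse direction: ack the server as the client, forward as the server."""
        if self.phase != "RELAY":
            return None
        self._send(self.c_ip, self.c_port, self.s_ip, self.s_port, "ACK")
        data = modify(pkt.payload) if modify else pkt.payload
        return self._send(self.s_ip, self.s_port, self.c_ip, self.c_port, "DATA", data)

    def close(self, reason):
        """FIG. 9 (steps 902 to 908): record the event, drop the quad, free both TCBs."""
        self.events.append(reason)
        self.quad_list.discard(self.quad)            # step 906
        self.client_tcb = self.server_tcb = None     # step 908
        self.phase = "CLOSED"


def run_example():
    """Constructed walk-through of all four phases for one connection."""
    quad_list = set()
    syn = Packet("192.0.2.5", 40000, "10.0.0.10", 80, "SYN")
    conn = ProxiedConnection(syn, quad_list,
                             authorize=lambda ip, port: ip.startswith("192.0.2."))
    conn.decide()
    conn.server_replied(Packet("10.0.0.10", 80, "192.0.2.5", 40000, "SYN-ACK"))
    conn.relay_from_client(Packet("192.0.2.5", 40000, "10.0.0.10", 80, "DATA",
                                  b"GET / HTTP/1.0\r\n\r\n"))
    conn.close("remote close request")
    return conn, quad_list
```

Reading conn.sent after run_example() gives the five headers the proxy produced in order (SYN-ACK, SYN, ACK, ACK, DATA), and the refusal branch of decide() shows the quad being removed again before any server-side TCB exists, which is the cleanup the description assigns to step 608.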

Although the foregoing invention has been described in some detail for purposes of clarity of understanding, it will be apparent that certain changes and modifications may be practiced within the scope of the appended claims. It should be noted that there are many alternative ways of implementing both the process and apparatus of the present invention. For example, as noted above, the present invention is implemented on a PIX in one embodiment. In other embodiments, the present invention is implemented on another firewall or a multihomed web server. Accordingly, the present embodiments are to be considered as illustrative and not restrictive, and the invention is not to be limited to the details given herein, but may be modified within the scope and equivalents of the appended claims.

What is claimed is:
 1. A method of transparently proxying a connectionto a protected machine comprising: monitoring communication packetsdirected to the protected machine on a network at a proxy machine, thecommunication packet having a communication packet source address, acommunication packet source port number, a communication packetdestination address, and a communication packet destination port number,the proxy machine being located within a communication path of theprotected machine for monitoring all packets routed to the protectedmachine, the communications packet not being addressed to the proxymachine by the originator of the communication packet under any networkcommunication protocol; determining to intercept the communicationpacket at the proxy machine based on whether the communication packetdestination address and the communication packet destination port numbercorrespond to a protected destination address and a protecteddestination port number stored in a proxy list; determining to proxy aproxied connection associated with the communication packet based on thecommunication packet source address and the communication packet sourceport number; terminating a protected connection from the proxy machineto a protected machine, the protected machine corresponding to thecommunication packet destination address and the communication packetdestination port number, each communication sent from the proxy machineto the protected machine having a header in which the source address andthe source port number are the same as the communication packet sourceaddress and the communication packet source port number; and forming aresponse to the communication packet under a network protocol by sendinga responsive packet from the proxy machine wherein the responsive packethas a header having a responsive packet source address and a responsivepacket source port number wherein the responsive packet source addressand the responsive packet source port number are the same as to thecommunication 
packet destination source address and the communicationpacket destination port number; whereby the proxy machine terminates aprotected connection to the protected machine and the proxy machineresponds to the communication packet acting on behalf of the protectedmachine and the proxy machine appears to be the protected machine.
 2. Amethod of transparently proxying a connection to a protected machine asrecited in claim 1 wherein the protected machine has a protected machineIP address and the protected machine IP address is the same address asthe communication packet destination address.
 3. A method oftransparently proxying a connection to a protected machine as recited inclaim 1 wherein the communication packet is a SYN packet.
 4. A method oftransparently proxying a connection to a protected machine as recited inclaim 1 wherein the proxy machine terminates an outside connection withan outside machine, the outside machine being the sender of thecommunication packet.
 5. A method of transparently proxying a connectionto a protected machine as recited in claim 4 wherein the proxy machinepretends to be the protected machine on the outside connection.
 6. Amethod of transparently proxying a connection to a protected machine asrecited in claim 5 wherein the proxy machine includes the protectedmachine IP address as the source address in packets that are sent fromthe proxy machine to the outside machine.
 7. A method of transparentlyproxying a connection to a protected machine as recited in claim 4further including receiving on the outside connection an outside datapacket containing outside data from the outside machine, reading theoutside data at the proxy machine, and relaying the outside data to theprotected machine via a socket corresponding to the protectedconnection.
 8. A method of transparently proxying a connection to aprotected machine as recited in claim 7 further including modifying theoutside data at the proxy machine.
 9. A method of transparently proxyinga connection to a protected machine as recited in claim 1 furtherincluding receiving on the protected connection an protected data packetcontaining protected data from the protected machine, reading theprotected data at the proxy machine, and relaying the protected data tothe outside machine via a socket corresponding to the protectedconnection.
 10. A method of transparently proxying a connection to aprotected machine as recited in claim 9 further including modifying theprotected data at the proxy machine.
 11. A method of transparentlyproxying a connection to a protected machine as recited in claim 7further including receiving on the protected connection an protecteddata packet containing protected data from the protected machine,reading the protected data at the proxy machine, and relaying theprotected data to the outside machine via a socket corresponding to theprotected connection.
 12. A method of transparently proxying aconnection to a protected machine as recited in claim 7 wherein theoutside data is used to authenticate the outside machine to theprotected machine.
 13. A method of transparently proxying a connectionto a protected machine as recited in claim 9 wherein the protected dataincludes an authentication request.
 14. A method of transparentlyproxying a connection to a protected machine as recited in claim 7further including requesting and obtaining data from the protectedmachine that is responsive to the outside data.
 15. A method oftransparently proxying a connection to a protected machine as recited inclaim 1 wherein the proxy machine is a web server.
 16. A method oftransparently proxying a connection to a protected machine as recited inclaim 1 wherein the proxy machine is a PIX.
 17. A method oftransparently proxying a connection to a protected machine as recited inclaim 1 wherein the proxy machine is a firewall.
 18. A method oftransparently proxying a connection to a protected machine as recited inclaim 1 wherein an intercepting controller determines whether to directthe communication packet to a local application or a proxy applicationor to drop the communication packet based on a proxy quad list.
 19. Amethod of transparently proxying a connection to a protected machine asrecited in claim 1 wherein the network protocol is TCP.
 20. A method oftransparently proxying a connection to a protected machine comprising:monitoring a communication packet on a network at a proxy machine, thecommunication packet having a communication packet source address, acommunication packet source port number, a communication packetdestination address, and a communication packet destination port number,the communications packet not being addressed to the proxy machine bythe originator of the communication packet under any networkcommunication protocol; determining to intercept the communicationpacket at the proxy machine based on whether the communication packetdestination address and the communication packet destination port numbercorrespond to a protected destination address and a protecteddestination port number stored in a proxy list; determining to proxy aproxied connection associated with the communication packet based on thecommunication packet source address and the communication packet sourceport number; terminating a protected connection from the proxy machineto a protected machine, the protected machine corresponding to thecommunication packet destination address and the communication packetdestination port number, each communication sent from the proxy machineto the protected machine having a header in which the source address andthe source port number are the same as the communication packet sourceaddress and the communication packet source port number; forming aresponse to the communication packet under a network protocol by sendinga responsive packet from the proxy machine wherein the responsive packethas a header having a responsive packet source address and a responsivepacket source port number wherein the responsive packet source addressand the responsive packet source port number are the same as to thecommunication packet destination source address and the communicationpacket destination port number; receiving on an outside connection anoutside data packet containing outside data from an 
outside machine, theoutside machine being the sender of the communication packet, readingthe outside data at the proxy machine, and relaying the outside data tothe protected machine via a socket corresponding to the protectedconnection; and acknowledging the receipt of the outside data packet atthe proxy machine after a protected machine acknowledges receipt of datacontained in the outside data packet; whereby the proxy machineterminates a protected connection to the protected machine and the proxymachine responds to the communication packet acting on behalf of theprotected machine and the proxy machine appears to be the protectedmachine.
 21. A proxy system for proxying a connection from an outsidemachine to a protected machine comprising: an outside connection stack,the outside connection stack being operative to establish an outsideconnection to an outside party; a proxy quad list, the proxy quad listcontaining a list of proxied connections; an intercepting controller,the intercepting controller being operative to read incoming datapackets, to resolve IP addresses and port numbers to determine whetherthe data packets correspond to a proxied application based on the proxyquad list; and a proxy application, the proxy application beingoperative to determine that a new connection should be added to the quadlist and add the new connection to the quad list, the proxy applicationbeing configured to establish and maintain a proxy connection to theprotected machine by sending communications packets having a header inwhich the source address and the source port number are the same as thesource address and the source port number of the incoming data packets;wherein a proxied connection is maintained.
 22. A method oftransparently proxying a connection to a protected machine as recited inclaim 1 wherein the communication packet is not encapsulated with adevice address of the proxy machine.
 23. A method of transparentlyproxying a connection to a protected machine as recited in claim 1wherein determining to intercept the communication packet at the proxymachine comprises intercepting the communication packet only if thecommunication packet destination address and the communication packetdestination port number correspond to a protected destination addressand a protected destination port number stored in the proxy list or adestination address and a destination port number of the proxy machine.